Allow swtpm (0.7.0 or later) to fsync on the directory where it writes
its state files into so that "the entry in the directory containing the
file has also reached disk" (fsync(2)).
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
src/security/virt-aa-helper.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 52cfebf6e0..e21557c810 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1250,8 +1250,11 @@ get_files(vahControl * ctl)
" \"%s/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",
RUNSTATEDIR, shortName);
/* Paths for swtpm to use: give it access to its state
- * directory, log, and PID files.
+ * directory (state files and fsync on dir), log, and PID files.
*/
+ virBufferAsprintf(&buf,
+ " \"%s/lib/libvirt/swtpm/%s/%s/\" r,\n",
+ LOCALSTATEDIR, uuidstr, tpmpath);
virBufferAsprintf(&buf,
" \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n",
LOCALSTATEDIR, uuidstr, tpmpath);
--
2.31.1
On 7/13/21 8:38 PM, Stefan Berger wrote: > Allow swtpm (0.7.0 or later) to fsync on the directory where it writes > its state files into so that "the entry in the directory containing the > file has also reached disk" (fsync(2)). > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > --- > src/security/virt-aa-helper.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c > index 52cfebf6e0..e21557c810 100644 > --- a/src/security/virt-aa-helper.c > +++ b/src/security/virt-aa-helper.c > @@ -1250,8 +1250,11 @@ get_files(vahControl * ctl) > " \"%s/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n", > RUNSTATEDIR, shortName); > /* Paths for swtpm to use: give it access to its state > - * directory, log, and PID files. > + * directory (state files and fsync on dir), log, and PID files. > */ > + virBufferAsprintf(&buf, > + " \"%s/lib/libvirt/swtpm/%s/%s/\" r,\n", > + LOCALSTATEDIR, uuidstr, tpmpath); > virBufferAsprintf(&buf, > " \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n", > LOCALSTATEDIR, uuidstr, tpmpath); > Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Although it took me a bit to realize that 0.7.0 is yet to be released :-) Michal
On 7/14/21 3:13 AM, Michal Prívozník wrote: > On 7/13/21 8:38 PM, Stefan Berger wrote: >> Allow swtpm (0.7.0 or later) to fsync on the directory where it writes >> its state files into so that "the entry in the directory containing the >> file has also reached disk" (fsync(2)). >> >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> >> --- >> src/security/virt-aa-helper.c | 5 ++++- >> 1 file changed, 4 insertions(+), 1 deletion(-) >> >> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c >> index 52cfebf6e0..e21557c810 100644 >> --- a/src/security/virt-aa-helper.c >> +++ b/src/security/virt-aa-helper.c >> @@ -1250,8 +1250,11 @@ get_files(vahControl * ctl) >> " \"%s/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n", >> RUNSTATEDIR, shortName); >> /* Paths for swtpm to use: give it access to its state >> - * directory, log, and PID files. >> + * directory (state files and fsync on dir), log, and PID files. >> */ >> + virBufferAsprintf(&buf, >> + " \"%s/lib/libvirt/swtpm/%s/%s/\" r,\n", >> + LOCALSTATEDIR, uuidstr, tpmpath); >> virBufferAsprintf(&buf, >> " \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n", >> LOCALSTATEDIR, uuidstr, tpmpath); >> > Reviewed-by: Michal Privoznik <mprivozn@redhat.com> > > Although it took me a bit to realize that 0.7.0 is yet to be released :-) Right. And I am thinking of deactivating the 'offending' fsync in the Ubuntu version for quite a while until this AppArmor fix here has propagated. Thanks for pushing. Stefan > > Michal >
On 7/14/21 9:13 AM, Michal Prívozník wrote: > On 7/13/21 8:38 PM, Stefan Berger wrote: >> Allow swtpm (0.7.0 or later) to fsync on the directory where it writes >> its state files into so that "the entry in the directory containing the >> file has also reached disk" (fsync(2)). >> >> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> >> --- >> src/security/virt-aa-helper.c | 5 ++++- >> 1 file changed, 4 insertions(+), 1 deletion(-) >> >> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c >> index 52cfebf6e0..e21557c810 100644 >> --- a/src/security/virt-aa-helper.c >> +++ b/src/security/virt-aa-helper.c >> @@ -1250,8 +1250,11 @@ get_files(vahControl * ctl) >> " \"%s/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n", >> RUNSTATEDIR, shortName); >> /* Paths for swtpm to use: give it access to its state >> - * directory, log, and PID files. >> + * directory (state files and fsync on dir), log, and PID files. >> */ >> + virBufferAsprintf(&buf, >> + " \"%s/lib/libvirt/swtpm/%s/%s/\" r,\n", >> + LOCALSTATEDIR, uuidstr, tpmpath); >> virBufferAsprintf(&buf, >> " \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n", >> LOCALSTATEDIR, uuidstr, tpmpath); >> > > Reviewed-by: Michal Privoznik <mprivozn@redhat.com> > Just realized that you might not have commit access after we switched to gitlab. So I went ahead and pushed this for you. Michal
On Tue, Jul 13, 2021 at 2:42 PM Stefan Berger <stefanb@linux.vnet.ibm.com> wrote: > > Allow swtpm (0.7.0 or later) to fsync on the directory where it writes > its state files into so that "the entry in the directory containing the > file has also reached disk" (fsync(2)). > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> > --- > src/security/virt-aa-helper.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c > index 52cfebf6e0..e21557c810 100644 > --- a/src/security/virt-aa-helper.c > +++ b/src/security/virt-aa-helper.c > @@ -1250,8 +1250,11 @@ get_files(vahControl * ctl) > " \"%s/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n", > RUNSTATEDIR, shortName); > /* Paths for swtpm to use: give it access to its state > - * directory, log, and PID files. > + * directory (state files and fsync on dir), log, and PID files. > */ > + virBufferAsprintf(&buf, > + " \"%s/lib/libvirt/swtpm/%s/%s/\" r,\n", > + LOCALSTATEDIR, uuidstr, tpmpath); > virBufferAsprintf(&buf, > " \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n", > LOCALSTATEDIR, uuidstr, tpmpath); > -- > 2.31.1 > Patch looks fine to me. Reviewed-by: Neal Gompa <ngompa13@gmail.com> -- 真実はいつも一つ!/ Always, there's only one truth!
© 2016 - 2024 Red Hat, Inc.